There but for the grace of God goes your CIO/CFO

Much will be written about the loss of a couple of CDs of personal data by HMRC. But it is those organisations which track their data and report such losses that are publicly crucified. Those that keep quiet and cover up...

How many of your organisations keep track of all back-ups, including (and especially) those sent to offsite recovery or archive centres; encrypt all files leaving the premises (ring-fencing those where this is not practical); have monitoring equipment that detects unauthorised devices (e.g. USB drives) attached to the network; vet all staff with potential access to data (including the cleaners who can read the post-it notes stuck to the screens with the passwords) ... and so on?

And if yours is not one of these, why should I trust it with my data - however many padlocks there are on your website?

And if you were to do all that the security gurus and regulators tell you to, would you still be in business?

The problems are not confined to public sector.

I am told that the FSA has yet to fine a bank which had not itself found and reported the possible data compromise - and all to date have been "possible compromises" - not losses.

At one of the regular networking events where Chief Information Security Officers meet to cry into their beer over the behaviour of their regulators and marketing departments (the source of most vulnerabilities and breaches) I heard the story of the CISO who found and reported a potential serious problem that was also common to all its competitors. His was the only organisation punished by the regulator. The others all denied it had ever happened to them. Worse, it was still happening to some of them.

I recently asked the former head of security of one of the organisations that I would trust with my data, to draft a "Ten Minute Guide" to "Keeping the Board out of Jail while remaining competitive" (particularly how to set the climate that will ensure that good practice is embedded in their core business values as part of their marketing message, not treated as an add-on). This evening I will be taking his first draft to a meeting of the ISSA (Information Systems Security Association) UK chapter group that is planning to work with Get Safe On-line (and any other organisation willing to bring experience and resources to the table) on awareness campaigns, including with support for firms too small to have any in-house security expertise.

At their last meeting the participants (including the CISOs of a couple of other organisations that I would trust with my data) appeared to share the common view that large organisations were well served with advice and guidance and able to protect themselves.

I wonder if the discussion will be different this evening.

Too much current advice is seen to get in the way of running the business and is consequently ignored or bypassed by those "with a business to run".

I did not expect this issue to hit the headlines so soon when I raised the issues of trust last week and quoted one of the speakers at the recent Parliament and Industry conference who suggested that we might have to consider disaggregation and "controlled communication", rather than integration and always-on, if we wanted our systems to be secure. For that conference I tried to summarise the current state of debate on reducing vulnerability, including the tensions over what could/should be done to improve security.

One of the most serious was that between those who believe "systems should be designed to make it faster, easier and more convenient to do what is right than bend the rules in order to run the business" and those who maintain "there is no gain without pain". I should of course add that by "system" I always mean the "people system" that the technology is there to serve.

Many years ago in an article for the IMIS journal (most of whose readers are scattered around the world in its fastest growing markets) I asked "who would you trust to hold your purse in the global electronic bazaar?". Part of my reply today (picking up from my comments in yesterday's blog) would be, "no-one who asks me for information that they do not need in order to do what I want from them".

But I am also only too well aware that thousands in sickness, poor health or otherwise socially excluded suffer unnecessarily and even die because the agencies which could/should be able to help them fail to share the information they already hold on their needs. Hence the programme that EURIM has been running for several years on "secure data sharing" and its current Transformational Government Dialogues exercise.

This is not an easy debate, and the need for realistic guidance on good practice for those at the top, who carry legal responsibility, is now urgent and overdue - for both private and public sectors.

So too is action to organise and co-ordinate the police response to computer-assisted crime, including the response to incidents like that at HMRC, which will hopefully still turn out to be yet another data packet lost in the post.


3 Comments

Reference the recent loss of disks by HMRC. I personally do not consider this to be a pure matter of cost-cutting, but more a case of attitude, and bad practice, which can be seen (at times) in some areas of the Public Sector, and Government (sorry) - It just could be the case here that, the circumstance does make a good platform to communicate a political message. Also, given the Public Sector is one of the sectors who report in above average sickness rates, this in itself would be a significant contributory factor to invert pressure on other members of staff who are in work.

I have worked with a number of such organisations, and sadly, it is not always the internal objective to get behind the mission of the business in hand (in this case HMG) – However, I do also believe that on the other side of this debate, whilst it is not so much about cost cutting, on the face of the issue, it can be wrapped up in a matter of over working of the respective employees (which in an inverted sense, is of course related to reducing costs – but of course is presented as Operational Efficiencies, and seeking to get more for less!!) – But then we do live in a world of corporate speak, so read into that what you may.

I also believe that, in this case, technology and process were deployed to protect against the unauthorised exportation of such media, but I gather it was either not working correctly, or simply circumvented for a matter of expediency. However, the Public Sector is not alone here – many commercial organisations are also guilty of this – it’s called paying lip service to security, and can be a common find in some industries. Also, this loss does present another question – were any other disks cut? And could it be possible for them to have been sold on? – eCrime is common, and does not just occur at Outsourced sites.

I am also surprised that the fact that this is child related data has not been picked up on – has anyone considered the ramification of the fact this is also potentially add-on dangerous situation, with a new angle of adverse interest on the data subjects - not necessarily interested on money, but with more a focus on the subject profiles – the Children!

I am very sorry to say that it would seem that some HMG funded organisations upon whom it is incumbent to protect, and advise on such matters of data security, and other related interests of public security exposure, would not seem to be that proactive in dealing with the root cause, and effect. Sadly, it looks like the demise of the NHTCU, has after all left a gap in our defences – and this needs to be addressed, and quick!

So in a nutshell, I believe the HMRC had spent money on security, but just like many others, including the commercial sector, they were paying lip service to the policy they had deployed, and it is that simple.

Simply put, IT Security is much more cost effective to manage in the Reactive sense – wait until things go wrong, and then address the exposure – rather than taking the much more efficient route of being Proactive, and deploying sound practices, and procedures, underpinned with reality-checked Security.

Further to my original posting - the ISSA group identified three audiences for awareness and education exercises:

- Consumers, parents and children: where the need is to encourage industry (users as well as suppliers) to work with and through organisations like Get Safe-Online, CEOP and Childnet.

- Firms without IT expertise: where the need is to work with and through organisations like the Chambers of Commerce and get operations like Yorkshire Safe replicated and supported by the other Regional Development Authorities and Devolved Administrations.

and

- the budget holders and decision takers in large organisations whose support is essential in order to embed good practice in risk management in mainstream business planning - as opposed to retro-fitting security after the damage has been done (as commented on by John Walker)

The group put together by the ISSA now includes representatives from the BCS, CMA, IAAC, IISP, IMIS, ISC2 and WCIT.

On Wednesday night the group also agreed to look at the production of an "External Directors Guide to Information Risk Management", building on, and updating, the best of the material that has already been produced: for example, "Corporate Governance and Information Risk: what every Director must know". This is only one of a number of highly relevant publications in the archive list on the IAAC website.

If you have equally good, or better, material and/or would like to contribute material and resources to this exercise, please let me know and I will pass this on to the group.

I should perhaps add that this group is being driven by the UK-based Chief Information Security Officers of some of the world's largest IT users (all Brits, though not all their companies are UK-based). Their concern is to secure their partners (including in the public sector) and the organisations in their supply chains, as well as the consumers who they wish to transact with them, confidently, on-line, from all around the world - not just the UK.

They are looking to work with partners who are similarly serious - not just those seeking to peddle consultancy or security software - invaluable though the latter can be - if used correctly.

P.S. I have also just received an e-mail from the UK-based CISO of a multinational which (like many of its peers) works with e-crime units around the world, complaining that in 2 years of feeding SOCA with information, alerts and all the support that could be hidden in the UK security budget, it had received no feedback at all. "I know the NHTCU were small, but I must say, with hindsight (a wonderful thing) they were more visible." The team at SOCA are doing a great job with limited resource, but their terms of reference are all too clear. The sooner the ACPO plans for a greatly expanded NHTCU replacement are approved and funded (on the scale needed, not that currently being discussed) the better.

I have some sympathy for the young chap who sent the CDs. When young, it is easy to get blasé about secure data if you handle it every day. In 1948, I was in a small town in Austria, in an outfit laughingly called the Intelligence Corps, interrogating Austrian PoWs on their return from Russia. All paper concerned with these interrogations was Top Secret. We ran out of loo paper, and I was surprised one morning to find some of the draft interrogation reports in its place. We all covered up this lapse.